Updated on 2025-05-07 GMT+08:00
Landing Zone Design Principles
Huawei Cloud has summarized the following principles based on its practices and successful delivery of many Landing Zone projects. You can use these principles as a starting point to develop design principles that meet your enterprise requirements.
- Conway's law: According to Conway's law, the technical architecture of a system reflects the architecture of the organization that owns it. The organizational unit (OU) and account architecture of Landing Zone should be consistent with that of the company. It is recommended that the OU and account system of Landing Zone be planned based on the service architecture, geographical area structure, and IT function of the company.
- Correlation: The mapping should cover only the OUs, such as departments and branches, that manage IT systems and those that use IT resources. For example, there is no need to create an organization that maps to the administrative department if it does not manage, view, or operate any IT resources on the cloud. Likewise, there is no need to create a user with financial management permissions for financial personnel who are not responsible for cost accounting, analysis, and budget management of IT systems.
- OU design: Accounts that require the same control policies (including SCPs and tag policies) should be placed in the same OU. Control policies can be applied to that OU, and the policies will be inherited by each member account and lower-level OUs under that OU.
- Operating environment isolation: The production environment must be stable, reliable, and secure, while the development and test environments emphasize flexibility. The production environment must be isolated from the development and test environments. Stricter control policies should be used for the production environment, and looser control policies for the development and test environments.
- Service account design: For service departments, member accounts should be created based on the business units (such as subsidiaries, business units, product lines, departments, and project teams) defined by your organization.
- IT management account design: IT managerial member accounts should be created for IT departments based on their functions, such as security operations, O&M monitoring, network operations, and data platforms.
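The OU design and operating environment isolation principles above can be checked against a planned hierarchy before it is built. The following added example (not Huawei Cloud code and not an API client) models an OU tree in plain Python; all OU, account, and policy names are hypothetical, and "stricter" is approximated as a strict superset of inherited policies.

```python
# Constructed model of an OU tree; OU, account and policy names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class OU:
    name: str
    policies: list = field(default_factory=list)   # control policies attached to this OU
    children: list = field(default_factory=list)   # lower-level OUs
    accounts: dict = field(default_factory=dict)   # account name -> environment label

def effective_policies(root, account, inherited=()):
    """Policies an account inherits from every OU on its path, or None if not found."""
    current = list(inherited) + root.policies
    if account in root.accounts:
        return current
    for child in root.children:
        found = effective_policies(child, account, current)
        if found is not None:
            return found
    return None

def isolation_violations(root):
    """Names of OUs that directly hold production accounts next to dev/test accounts."""
    envs = set(root.accounts.values())
    bad = [root.name] if "prod" in envs and envs - {"prod"} else []
    for child in root.children:
        bad.extend(isolation_violations(child))
    return bad

def is_stricter(root, prod_account, other_account):
    """Assumption: stricter means inheriting every policy of the other account plus more."""
    return set(effective_policies(root, other_account)) < set(effective_policies(root, prod_account))

def build_sample():
    """Constructed plan: one clean Prod OU, one NonProd OU, one OU that mixes environments."""
    prod = OU("Prod", ["deny-public-buckets", "deny-disable-audit-log"],
              accounts={"retail-prod": "prod", "payments-prod": "prod"})
    nonprod = OU("NonProd", ["deny-disable-audit-log"],
                 accounts={"retail-dev": "dev", "retail-test": "test"})
    mixed = OU("Legacy", accounts={"crm-prod": "prod", "crm-dev": "dev"})
    return OU("Root", ["require-owner-tag"], children=[prod, nonprod, mixed])

if __name__ == "__main__":
    root = build_sample()
    for acct in ("retail-prod", "retail-dev", "crm-prod"):
        print(acct, effective_policies(root, acct))
    print("OUs mixing prod with dev/test:", isolation_violations(root))
    print("retail-prod stricter than retail-dev:", is_stricter(root, "retail-prod", "retail-dev"))
```

In the sample plan, `crm-prod` inherits only the root policy because it shares the `Legacy` OU with a development account, which is the placement the isolation principle is meant to prevent.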